Solved

Active Directory Lightweight Directory Services (AD-LDS) - What are you using it for, and how?

Posted on 2015-02-24
215 Views
Last Modified: 2015-02-26
Hello,

I am working with AD-LDS and am trying to create a single sign-on solution that can be used for web servers, applications, etc. Can anyone describe what they are using AD-LDS for and how they're syncing from Active Directory?

Question by: jkeegan123

5 Comments
LVL 56

Expert Comment

by: Cliff Galiher

AD-LDS is not the right tool for that job. If you are looking for single sign-on, you want ADFS.
LVL 5

Author Comment

by: jkeegan123

Perhaps I was not being clear; I thought that AD-LDS was the right tool here. What I want to do is combine multiple directories using AD-LDS so that 5 or so Windows domains in different sites, connected via VPN without trusts, can make use of the single AD-LDS directory that we pull/sync accounts to from each of the 5 domains.

Am I getting warmer? :)
LVL 56

Accepted Solution

by: Cliff Galiher (earned 500 total points)

*IF* you want single sign-on, no. Windows specifically hardens credential storage on DCs, so there is no legitimate way to sync credentials to AD-LDS. Also, AD-LDS doesn't have Kerberos support built in like AD-DS. You could create a custom property in AD-LDS (after all, that's why it is there) to store passwords (hashed or otherwise), but you'd be writing your own authentication mechanism to write that property, and it would *not* be an SSO experience at all. Because it'd be a custom property and a custom authentication method, there is no way to even enforce that the passwords are the same.

AD-LDS *does* support proxying authentication back into AD-DS, but it only does so if AD-LDS is a member server, and it only does so to a domain controller of the domain of which the AD-LDS server is a member. That would not work with your 5-domain scenario with no trusts: it would not be able to proxy requests to four of the domains, and the DCs, not having trusts, would not be able to handle the proxied request.

In short, if you have permissions to sync AD objects, I'm not sure why you wouldn't implement trusts. That'd be a far more efficient process. And for most SSO web scenarios, you'll need ADFS any which way. So I still don't see AD-LDS being the right tool here.
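The proxy-authentication mechanism the accepted answer refers to is AD-LDS bind redirection: a `userProxy` object in the AD-LDS partition carries the `objectSid` of an AD DS account, and a simple bind against that object is forwarded to a domain controller of the domain the AD-LDS host belongs to. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft; the host name `ldshost.corp.example`, ports `50000`/`50001`, partition `DC=App,DC=Local`, container `CN=Proxies` and account `jdoe` are placeholders. It assumes `MS-UserProxy.LDF` has been imported into the instance schema and that the RSAT ActiveDirectory module is available. Running the bind test from a host that is not a member of the SID's domain reproduces exactly the limitation described above.

```powershell
# Added example (not part of the original thread): create an AD-LDS userProxy
# object for an AD DS account, then test bind redirection with a simple bind.
# All server names, ports, DNs and the account name below are placeholders.

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldsLdap    = 'ldshost.corp.example:50000'   # placeholder: LDAP port of the AD-LDS instance
$ldsLdaps   = 'ldshost.corp.example:50001'   # placeholder: LDAPS port of the AD-LDS instance
$partition  = 'DC=App,DC=Local'              # placeholder: application partition
$container  = "CN=Proxies,$partition"        # placeholder: container holding userProxy objects
$samAccount = 'jdoe'                         # placeholder: AD DS account to proxy

# 1. Read the account's SID from AD DS and convert it to the binary form
#    that the objectSid attribute expects.
$sid      = (Get-ADUser -Identity $samAccount).SID
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)

# 2. Create the userProxy object. objectSid is write-once and must be set
#    when the object is created; AD-LDS uses it to locate the AD DS account.
$parent = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ldsLdap/$container")
$proxy  = $parent.Children.Add("CN=$samAccount", 'userProxy')
$proxy.Properties['objectSid'].Value = $sidBytes
$proxy.CommitChanges()

# 3. Test the redirection with a simple (Basic) bind over LDAPS. AD-LDS rejects
#    a proxy bind over a clear channel unless RequireSecureProxyBind is set to 0
#    in msDS-Other-Settings; keep the default and use SSL so the AD DS password
#    never crosses the wire in plain text. The LDAPS certificate must be trusted
#    by this client.
$bindDn = "CN=$samAccount,$container"
$cred   = Get-Credential -UserName $bindDn -Message 'AD DS password of the proxied account'

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($ldsLdaps)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

try {
    $conn.Bind($cred.GetNetworkCredential())
    Write-Output "Bind as $bindDn succeeded: AD-LDS forwarded the password check to a DC of its own domain."
}
catch [System.DirectoryServices.Protocols.LdapException] {
    # Expected outcome when the SID belongs to a domain the AD-LDS host is not a
    # member of (and has no trust with): the instance cannot reach a DC to verify it.
    Write-Output "Bind as $bindDn failed: $($_.Exception.Message)"
    Write-Output 'Check that the AD-LDS host is a member of the domain that owns this SID and that the bind is over SSL.'
}
finally {
    $conn.Dispose()
}
```

Note that the object created in step 2 holds no password at all; the only credential check happens on the domain controller in step 3. That is why, as the answer says, there is nothing to "sync" here: the AD-LDS instance can only vouch for accounts in its own domain, and a SID from any of the four other domains would leave the proxy object unusable.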
LVL 5

Author Closing Comment

by: jkeegan123

Thank you, that was a very succinct explanation of why this will not work.

I REALLY think that the tech community at large SEVERELY misunderstands what AD-LDS can and cannot do. What I learned through this long journey is:

- Exactly how to set up and work with AD-LDS --> It's very useful and cool.
- Exactly the nuances of setting up schema differences between domains/partitions. This was useful in and of itself.
- The tech community very much enjoys posting 75% of their experience and missing the last 25%. This is probably because most people have no idea exactly what this is capable of.

Thank you VERY much for your help.

I still need to sync passwords between domains; this is more of a service-provider relationship than a true multi-domain scenario where domains can be trusted. Do you have any tips on using another tool to do this, perhaps Forefront Identity Management (FIM)? I see that RACKSPACE, Intermedia, etc. do similar syncs to what I'm talking about, where we have to target a specific OU for source accounts (can't take the entire directory, bad idea...) and PCNS (Password Change Notification Service) runs on every DC to notify the provider of the password change.

Do you know of any way to implement something like this? I'm willing to go down the FIM road, but I need to know if this is the right tool before going on this journey.

Thanks!
LVL 56

Expert Comment

by: Cliff Galiher

FIM can do this and is actually what Microsoft's own implementation of dirsync was built on.
